March 2010 Author: [email protected]
1. Code Quality Control Introduction
2. Code Analysis & Code Metrics
3. New Tools for Code Analysis – Gendarme & Sonar
4. Code Review Process
5. Q & A
• Functionality: satisfy stated or implied needs
• Efficiency: relationship between performance and resources used
• Maintainability: can bear specified modifications
• Portability: transfer from one environment to another
• Reliability: run under stated conditions for a stated period of time
• Usability: use by a stated or implied set of users easily
• Architecture & Design: maintainability, performance, internationalization
• Comments: percentage, documented & undocumented API, commented LOCs
• Coding rules: compliance (&), naming, correctness
• Potential bugs: correctness, security, multithreaded
• Complexity: methods, classes, dependencies
• Unit tests: success (%), coverage
• Duplications: duplicated blocks, lines
• Convention covers naming, comments and format conventions
  • Is there javadoc on public methods?
  • Is the project following MSDN naming conventions?
  • Is the code written with a consistent format?
• Bad practices consist of well-known behaviours that almost systematically lead to difficulties over time
  • Catching an exception without doing anything
  • Having dead code
  • Too many complex methods
• Potential bugs help you detect what is not clearly visible in the code and understand why sequences of code could lead to potential bugs
  • Synchronization on a Boolean could lead to deadlock
  • Multithreaded calls to static attributes
  • Array is stored directly
“Checkstyle is a stupid tool consuming time to search for tab characters when PMD is a smart one that can do the job alone as a good soldier, Findbugs is very good for resource consumption and Macker is… uh, what is Macker?”
• Number of Classes: total number of classes in the selected scope
• Number of Children: total number of direct subclasses of a class. A class implementing an interface counts as a direct child of that interface
• Number of Interfaces: total number of interfaces in the selected scope
• Depth of Inheritance Tree (DIT): distance from class Object in the inheritance hierarchy
• Number of Overridden Methods (NORM): total number of methods in the selected scope that are overridden from an ancestor class
• Number of Fields: total number of fields defined in the selected scope
• Lines of Code: total number of lines of code (physical or logical) in the selected scope
• Specialization Index: a class-level metric, defined as NORM * DIT / NOM
• McCabe Cyclomatic Complexity: counts the number of flows through a piece of code. Each time a branch occurs (if, for, while, do, case, catch and the ?: ternary operator, as well as the && and || conditional logic operators in expressions) this metric is incremented by one. Calculated for methods only
• Weighted Methods per Class (WMC): sum of the McCabe Cyclomatic Complexity for all methods in a class
• Lack of Cohesion of Methods (LCOM*): calculated with the Henderson-Sellers method. If m(A) is the number of methods accessing an attribute A, take the average of m(A) over all attributes, subtract the number of methods m, and divide the result by (1 - m)
• Afferent/Efferent Coupling (Ca/Ce): Ca is the number of classes outside a package that depend on classes inside it; Ce is the number of classes inside the package that depend on classes outside it
• Instability (I): Ce / (Ca + Ce)
• Abstractness (A): the number of abstract classes (and interfaces) divided by the total number of types in a package
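The metric definitions above worked through in code: this is an added example (not from the slides and not code from Sonar, Gendarme or any other tool named here) that computes McCabe complexity for one method body, LCOM* by the Henderson-Sellers formula, and Ca/Ce, I and A for a package. The Java-style method body, the method-to-attribute map and the four-class package graph are constructed sample input.

```python
import re
from typing import Dict, Set, Tuple

# Branch points named in the McCabe definition above: if, for, while, do, case, catch,
# ?: and the && / || operators. Strings and comments are blanked first so a "?" or "||"
# inside a literal or comment is not counted as a branch.
_KEYWORDS = re.compile(r"\b(?:if|for|while|do|case|catch)\b")
_OPERATORS = re.compile(r"\?|&&|\|\|")
_NOISE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def cyclomatic_complexity(method_body: str) -> int:
    """McCabe complexity of one method body: 1 plus one per branch point."""
    code = _NOISE.sub(" ", method_body)
    return 1 + len(_KEYWORDS.findall(code)) + len(_OPERATORS.findall(code))

def lcom_star(method_attrs: Dict[str, Set[str]], attributes: Set[str]) -> float:
    """Henderson-Sellers LCOM* = (average of m(A) over all attributes - m) / (1 - m), with
    m(A) = methods accessing attribute A and m = method count. 0 = fully cohesive, 1 = no sharing."""
    m = len(method_attrs)
    if m <= 1 or not attributes:
        return 0.0
    avg_m_a = sum(sum(a in used for used in method_attrs.values()) for a in attributes) / len(attributes)
    return (avg_m_a - m) / (1 - m)

def coupling(package: str, class_pkg: Dict[str, str], deps: Dict[str, Set[str]]) -> Tuple[int, int]:
    """Ca: classes outside `package` depending on one inside it; Ce: inside depending on outside."""
    ca = sum(1 for c, t in deps.items() if class_pkg[c] != package and any(class_pkg[x] == package for x in t))
    ce = sum(1 for c, t in deps.items() if class_pkg[c] == package and any(class_pkg[x] != package for x in t))
    return ca, ce

def instability(ca: int, ce: int) -> float:
    """I = Ce / (Ca + Ce): 0 is maximally stable, 1 maximally unstable."""
    return ce / (ca + ce) if ca + ce else 0.0

def abstractness(abstract_types: int, total_types: int) -> float:
    """A = abstract classes and interfaces divided by all types in the package."""
    return abstract_types / total_types if total_types else 0.0

# Constructed sample input: one Java-style method body and a tiny four-class graph.
SAMPLE_METHOD = """
if (user == null || user.isLocked()) { return false; }   // a "?" in this comment is ignored
for (Role r : user.getRoles()) {
    switch (r.kind()) { case ADMIN: return true; default: break; }
}
return user.getPassword() != null ? check(user) : false;
"""
SAMPLE_METHODS = {"login": {"name", "hash"}, "reset": {"hash"}, "audit": {"log"}}   # method -> attributes used
SAMPLE_PKG = {"Login": "auth", "Session": "auth", "Controller": "web", "Repo": "db"}  # class -> package
SAMPLE_DEPS = {"Controller": {"Login"}, "Login": {"Repo"}, "Session": {"Login"}, "Repo": set()}
```

For the sample, the method scores a complexity of 6 (if, ||, for, case and ?:), the three methods sharing one of three attributes give LCOM* = 5/6, and package auth has Ca = Ce = 1, so I = 0.5.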
“Code analysis is a kind of multifarious and boring thing; are there any tools that can help automate this?”
• NCover: get your application test status (%) (CIL level)
• StyleCop: get your code convention compliance status (source code level)
These are far from enough to help us pursue the highest code quality!
• Gendarme: an extensible rule-based tool to find problems in .NET applications and libraries
  • Inspects programs and libraries that contain code in ECMA CIL format (Mono and .NET)
  • Looks for common problems with the code, problems that compilers do not typically check or have not historically checked
  • Easy to use, report friendly
  • http://www.mono-project.com/Gendarme
[Gendarme screenshots: assembly-level rules (Bad Practice, Design); type-level rules; method-level rules; NAnt task (load task from NauckIT.NAnt.dll; NAnt target, full example); report]
• Sonar: all in one (architecture & design, comments, coding rules, potential bugs…)
  • A continuous quality control tool for Java applications. Joins the existing continuous integration tools to place all development projects under quality control
  • A web-based application: rules, alerts, thresholds, exclusions, settings
  • FindBugs, Checkstyle, PMD, extended with plugins
  • Based on Maven
  • http://sonar.codehaus.org/
Sonar - FindBugs
• A static analysis tool that examines your class or JAR files by matching the bytecodes against a list of bug patterns (similar to Gendarme)
• Examples of problems found: DB connection, null pointer dereference
• Integrate FindBugs into the build process: development phase, build phase, code review phase, maintenance phase
• Generate meaningful results: SCM, HTML report
• Decide what you will do with the results of FindBugs
• http://findbugs.sourceforge.net/api/edu/umd/cs/findbugs/Detector.html
Sonar - PMD & Checkstyle
• Scans Java source code and looks for potential problems: empty try/catch/finally/switch statements, duplicate code, dead code
• Helps write Java code that adheres to a coding standard (code convention)
• Integrate into the build process: development phase, build phase, code review phase
• Similar to StyleCop
• http://pmd.sourceforge.net/
• http://checkstyle.sourceforge.net/
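An added example, not part of the slides and not PMD's own code, showing the kind of check behind the "empty try/catch/finally/switch" problems listed above and the "catching an exception without doing anything" bad practice from the earlier slide: a small detector that reports catch, finally and switch blocks holding no code. The Java source it scans is constructed sample input, and the brace matching is a deliberate simplification of what a real parser does.

```python
import re
from typing import List, Tuple

# Rules quoted on the slides: a catch block that does nothing, and empty finally/switch
# blocks. Strings and comments are blanked (line breaks kept, so reported line numbers
# stay right), which means a catch holding only "// ignore" still counts as empty, as
# PMD's EmptyCatchBlock does unless configured to allow commented blocks.
_NOISE = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_BLOCK_HEAD = re.compile(r"\b(catch|finally|switch)\b\s*(?:\([^)]*\))?\s*\{")

def _blank_noise(src: str) -> str:
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def _block_body(src: str, open_brace: int) -> str:
    """Text between the brace at open_brace and its matching closing brace."""
    depth = 0
    for i in range(open_brace, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_brace + 1:i]
    raise ValueError("unbalanced braces")

def find_empty_blocks(java_src: str) -> List[Tuple[int, str]]:
    """Return (line, kind) for every catch/finally/switch whose body contains no code."""
    src = _blank_noise(java_src)
    findings = []
    for m in _BLOCK_HEAD.finditer(src):
        if not _block_body(src, m.end() - 1).strip():
            findings.append((src.count("\n", 0, m.start()) + 1, m.group(1)))
    return findings

# Constructed sample: the swallowed exception hides a failed open() from the caller.
SAMPLE_JAVA = """\
public class Loader {
    void load(String path) {
        try {
            open(path);
        } catch (IOException e) {
            // ignored: the caller never learns that the file is missing
        } finally {
            close();
        }
        switch (mode) { }
    }
}
"""
```

On the sample the detector reports the catch on line 5 and the switch on line 10; the finally block on line 7 is not reported because it contains a statement.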
Sonar - Run
• Install & configure Maven
• Run bin\windows-x86-32\StartSonar.bat
• Run mvn clean install sonar:sonar
• Browse to http://localhost:9000
[Sonar - Report (Bird’s eye view): screenshot]
Ways to Improve Quality
• Start early
• Don’t compromise
• Schedule time to lower your technical debt
• Make it work; make it right (right away)
• Requires monitoring and changing behavior
• Be willing to help and be helped
• Devise lightweight, non-bureaucratic measures
Activity Summary with Input and Output

Step 1. Identify code review objectives
  Input: Requirements; Code (including list of changes since last review); Constraints
  Output: Code review objectives

Step 2. Perform automated review
  Input: Code; Code review objectives
  Output: Suspicious list

Step 3. Perform manual review
  Input: Code; Code review objectives; Suspicious list
  Output: To-be-improved list

Step 4. Perform automated review
  Input: Code; Code review objectives
  Output: Final report

Note: code can be merged into the main line in Perforce only after code review.
What I like most about programming is that everything comes with a reason